Obtaining IMG3 Keys

Method 1
This is one way of getting the IMG3 keys using iBoot/iBEC patch based on the Dev Team's and Geohot's exploits and was tested on both Linux and Windows OS. Epic thanks to #xpwn crew on irc.osx86.hu !

What you need

 * Pwned iPhone on iOS 1.1.4
 * iBooter
 * iBEC from iPhone1,1_1.1.4_4A102_Restore.ipsw
 * xpwntool
 * iPHUC (for Windows users only)
 * Any Hex Editor

Summary
Patched a function in the iBEC file so that it will branch to the desired memory location when the associated iboot command is called in ibooter. The desired memory location is at 0x09000000 as indicated by an earlier Geohot post and the iboot command chosen is "clearenv" in this documentation. The desired memory location will be housing the codes that enable and call the hardware AES engine so that the KBAG data can be decrypted for Keys/IV.

Unpack iBEC.m68ap.RELEASE.dfu
Utilizing xpwntool, enter this command:

xpwntool   i.e. xpwntool iBEC.m68ap.RELEASE.dfu unpacked_iBEC

Patching iBEC.m68ap.RELEASE.dfu
Before: ROM:180074A0                PUSH    {R4,R5,R7,LR} ;"clearenv" routine starts here ROM:180074A2                ADD     R7, SP, #8 ROM:180074A4                ADDS    R4, R1, #0 ROM:180074A6                CMP     R0, #1 ROM:180074A8                BGT     loc_180074B4 ROM:180074AA                LDR     R0, =aNotEnoughArgum

After: ROM:180074A0                LDR     R3, =0x9000000 ROM:180074A2                BX      R3 ROM:180074A2 ; --- ROM:180074A4 dword_180074A4 DCD 0x9000000           ; DATA XREF: ROM:180074A0�r ROM:180074A8 ; --- ROM:180074A8                BGT     loc_180074B4 ROM:180074AA                LDR     R0, =aNotEnoughArgum

You will notice that iBEC starts at 0x18000000 but in your Hex Editor, just do the following changes at 0x74A0: 0x000074A0: 00 4b 18 47 00 00 00 09

The idea is to tell clearenv routine to branch to 0x09000000 and BX is used because the codes to be used at 0x09000000 later will be in ARM. This "clearenv" routine is in THUMB mode. BX will enable them to switch. Save and name your modified iBEC, for example iBECmod.

Packing the modified iBEC
Using xpwntool: xpwntool iBECmod iBEC.patch -t iBEC.m68ap.RELEASE.dfu

Note that the original iBEC file has to be used after -t as a template. IBEC.patch will be your modified, packed iBEC file.

Windows
Put iPHUC and your patched iBEC in the same folder. Boot iPHUC and boot your iPhone in recovery mode. Type the following into iPHUC once it recognizes your iPhone: filecopytophone iBEC.patch It should return "filecopytophone: 0" Then type this: cmd go Your iPhone will reboot and display a blank black screen immediately. You are now ready to proceed with sending the payload and the KBAG that you want to decrypt.

Linux
Put your iPhone in recovery mode, connect the USB cable and launch ibooter. Press ^F (CTRL+F) and Enter, you will be prompted for a file name, type and patched iBEC file name and press enter. Next you will be prompted for memory location to load. Enter 0x9000000 for that and press enter.

Now type: go to execute the patched iBEC. Your iPhone will reboot into a blank screen and that's good. You need to reconnect the ibooter after the "reboot".

Calling The Hardware AES Engine
Type the following ARM codes in iBooter. Those were slightly modified geohot codes.

mw 0x9000000 0xe92d4090      // stmdb   sp!, {r4, r7, lr} mw 0x9000004 0xe59f0038      // ldr     r0, [pc, #56] mw 0x9000008 0xe59f1038      // ldr     r1, [pc, #56]   ; EnableDecrypt at 0x9000048 mw 0x900000c 0xe5810000      // str     r0, [r1] mw 0x9000010 0xe59f0024      // ldr     r0, [pc, #36]   ; Data ptr at 0x900003c mw 0x9000014 0xe3a01020      // mov     r1, #32 ; 0x20 bytes to be decrypted mw 0x9000018 0xe3a02001      // mov     r2, #1  ; 0x1 mw 0x900001c 0xe3a03000      // mov     r3, #0  ; 0x0 mw 0x9000020 0xe1a0700d      // mov     r7, sp mw 0x9000024 0xe24dd004       // sub     sp, sp, #4      ; 0x4 mw 0x9000028 0xe58d3000      // str     r3, [sp] mw 0x900002c 0xe59f400c      // ldr     r4, [pc, #12]   ; AESDecrypt at 0x9000040 mw 0x9000030 0xe12fff34      // blx     r4 mw 0x9000034 0xe1a0d007       // mov     sp, r7 mw 0x9000038 0xe8bd8090       // ldmia   sp!, {r4, r7, pc} mw 0x900003c 0x09000100 mw 0x9000040 0x18001791 mw 0x9000044 0x43a343a3 mw 0x9000048 0x180015c0 mw 0x9000100 0x5418c5de      // KBAG data from 5A347 3G restore Ramdisk mw 0x9000104 0x7e30b0ff mw 0x9000108 0x0ea9b00e mw 0x900010c 0x421f6288

Now, we are going to call "clearenv" in iBooter to execute the above codes (recall that we have patched "clearenv" in iBEC to allow it to branch to the above memory location). Simply type clearenv and enter.

Get The Keys/IV
Phew!! Now, let's get the goodies. Simply type: mdb 0x9000100

Let's see what you get in there!!!!

Method 2
There is no "easier" method. You need access to the phone's AES engine, or you need to extract the GID Key from the phone.

This is fully understood: The phone has an AES key embedded inside of it. That key is needed to decrypt the KBAG section of new IMG3 files.

I couldn't get OpeniBoot running, so I wrote some code to call the iBoot function. And no, I don't have the source, I wrote it just as you see it :) This patch is to 1.1.4 iBoot, and you also need to patch a function to jump to 0x9000000. ~geohot

iBoot Patch
//aes caller mw 0x9000000 0xE1A0700E mw 0x9000004 0xE59F0018 mw 0x9000008 0xE3A01020 //size mw 0x900000C 0xE3A02001 //1=gid-key 2=uid-key mw 0x9000010 0xE3A03000 mw 0x9000014 0xE58D3000 mw 0x9000018 0xE59F4008 mw 0x900001C 0xE12FFF34 mw 0x9000020 0xE12FFF17 mw 0x9000024 0x09000100 //data mw 0x9000028 0x18001791 //ptr to function //enable decrypt mw 0x180015C0 0x43A343A3

Tests on Key 0x837
//test encrypt mw 0x9000100 0x6C2D5A34 mw 0x9000104 0x58D05050 mw 0x9000108 0x31A40D78 mw 0x900010C 0x150E71F0 go 0x9000000 mdb 0x9000100 0x10

//test decrypt mw 0x9000100 0xA6588418 mw 0x9000104 0xDF3450D1 mw 0x9000108 0x3BF286E3 mw 0x900010C 0x7437D461 go 0x9000000 mdb 0x9000100 0x10