Firmware Keys

Firmware Keys are keys which decrypt bootloaders, ramdisks, and root filesystem of iOS firmware, if those components are encrypted. Apple uses encryption to make it harder to analyze and modify them. Over time Apple changed the way they encrypt firmware files, hence the way to decrypt them and get decryption keys changed as well.

History
With the release of the iPhone came the IMG2 file format. They were used on all known iPhone OS 1.x firmwares. For the 1.1.x series, they were encrypted with the 0x837 key. The discovery of the 0x837 key led to the ability to decrypt any 1.x firmware.

Following IMG2 came the IMG3 file format. They were introduced with iPhone OS 2.0 beta 4, and have been in use ever since. In order to maintain their integrity, they use multiple layers of encryption. Apple took encryption seriously with IMG3 by utilizing AES (based on the Rinjndael key schedule). In terms of the pre-iPhone OS 3 VFDecrypt key, it is stored as plain-text in the "__restore" segment of the ASR image within the ramdisks.

The ramdisk keys can only be retrieved with the processor specific GID Key. The GID key is currently unretrievable and can only be utilized through the built-in AES engine. To complicate things even more, the engine is only accessible through a special bootrom or iBoot exploit (jailbreaks typically expose it with /dev/aes_0). This makes usage of the key nearly impossible.

However, once you have access to the AES engine, the entire system falls apart. You are able to upload an encrypted ramdisk and grab the decryption keys for it. Once you manage to decrypt the ramdisk, you can run it through GenPass to decrypt the Firmware key.

Beginning with iOS 6.0 beta, Apple tweaked their disk images so they no longer work with VFDecrypt. VFDecrypt will report that the filesystem is decrypted, but you will be unable to mount it. The current workaround is to use dmg from Xpwn to decrypt them. What has changed to break VFDecrypt is currently unknown. Decryption will take slightly longer due to dmg writing its progress to the terminal, but can be avoided (on Unix-like operating systems) by piping  to. The difference writing to the terminal versus not, however, is negligible.

To find the keys, you can either use the methods on AES Keys or the easier option for OS X, keylimepie.

Firmware Versions
This is a full and comprehensive list of all firmwares Apple Inc. has made available to the public in some way, be it the dev center or iTunes. This list also contains a few firmwares for which there never was an IPSW (as far as can be told) such as 4.2.5 for the CDMA iPhone 4 (iPhone3,3). These few builds came preinstalled on the device, but are not available for download.


 * 1.x
 * 2.x
 * 3.x
 * 4.x
 * 5.x
 * 6.x
 * 7.x
 * 8.x
 * 9.x
 * 10.x
 * 11.x