Firmware Keys

VFDecrypt Keys are the keys which can decrypt the files that come with the (beta) firmware. Apple uses a public/private key encryption to ensure the safety of their files. Over time Apple has changed the way to encrypt firmware files, thus the way to decrypt files as well as the way to get the keys has also.

IMG2 was the file format used prior to iPhone OS 2.0. For iPhone OS 1.1.x, IMG2 files were encrypted with Key 0x837.

IMG3 encrypted files contain encrypted versions of the VFDecrypt Keys as part of the KBAG (key bag). These can be decrypted with the GID-key. For jailbroken iDevices the VFDecrypt keys can be retrieved with the devices hardware AES engine. The VFDecrypt key for the root filesystem (the biggest file) image of an iDevice requires either a decrypted Restore Ramdisk or Update Ramdisk. Once you have a decrypted Restore or Update Ramdisk, GenPass can be used to gather the keys for the root filesystem.

For the root filesystem there is one key per device model, with no IV. You can mount this once it has been decrypted using your program of choice. (For example, 7-zip on Windows (after extracting the DMG on Windows, extract the biggest file with 7-Zip)

S5L8900
To decrypt a firmware file, decrypt the encrypted key and IV in the KBAG using GIDecrypt, or openssl with the key 5F650295E1FFFC97CE77ABD49DD955B3 and the iv 0

S5L8720
Business as usual, but keys and IVs have to be decrypted on the device still, unlike with the new S5L8900 KBAGs. Apple incorrectly assumed that by encrypting iBEC and iBSS they were being sly. They were not. You can decrypt those on a 2.2.1 aes setup no problem whatsoever :)

S5L8920
The iPhone 3GS firmware files are interesting. They have two KBAGs, which use AES256 instead of the S5L8900 and S5L8720 that are using AES128 still. The first KBAG has an identifier in it's header indicating that it is to be decrypted with the gid key, and the second is not known. For those that don't know how AES256 works, this now means that the first 0x10 bytes are the IV, and the remaining 0x20 bytes (not 0x10 anymore!) are the key.

Firmware Versions
This is a full and comprehensive list of all firmwares Apple Inc. has made available to the public in some way, be it the dev center or iTunes.